Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

6 decisions matching

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jul 27, 2022 · PIPEDA Findings #2022-006 · Indexed Apr 12, 2026

PIPEDA Findings #2022-006: Investigation into Trimac’s use of an audio and video surveillance device in its truck cabins

Trimac Transportation Services Inc.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from a Trimac truck driver concerned about audio and video recording in his truck cabin. The OPC found that while Trimac had legitimate safety and asset protection goals, the continuous audio recording was too intrusive, especially when drivers were off-duty. Trimac was also not initially transparent about using the data for disciplinary purposes, failing to meet consent requirements under PIPEDA. Trimac has since implemented changes, limiting audio recording to on-duty hours and improving data access controls. The OPC found the complaint conditionally resolved regarding the intrusive nature of the recording and resolved regarding the consent issue, accepting Trimac's remedial actions.

Adjudicator: Philippe Dufresne

Key Issues
  • Appropriateness of continuous audio recording in truck cabins, including during off-duty hours.
  • Whether Trimac provided adequate information about the use of collected data for disciplinary purposes.
  • The proportionality of privacy intrusion versus business benefits.
  • The requirement for employee consent for data collection in an employment context.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jul 15, 2022 · PIPEDA Findings #2022-005 · Indexed Apr 12, 2026

PIPEDA Findings #2022-005: Hotel chain discovers breach of customer database following acquisition of a competitor

Marriott International, Inc.

Following a data breach involving the Starwood hotel database, the Office of the Privacy Commissioner of Canada (OPC) investigated Marriott International, Inc. The investigation found that Marriott's security safeguards, accountability measures, and information retention practices were inadequate at the time of the breach, leading to unauthorized access to personal information. While Marriott has taken remedial actions and the complaint is conditionally resolved, the OPC highlighted failures in access controls, antivirus software, logging and monitoring, and information storage. The OPC also found Marriott contravened accountability principles by not adequately assessing security risks during its acquisition of Starwood and retaining personal information longer than necessary.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of security safeguards for personal information
  • Marriott's accountability and due diligence during the acquisition of Starwood
  • Timeliness of information retention and deletion practices
  • Adequacy of notification and mitigation measures for affected individuals

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jun 1, 2022 · PIPEDA Findings #2022-001 · Indexed Apr 12, 2026

PIPEDA Findings #2022-001: Joint investigation into location tracking by the Tim Hortons App

Tim Hortons (The TDL Group Corp.)

A joint investigation by the OPC and three provincial privacy authorities found that Tim Hortons collected granular location data from users of its mobile app without an appropriate purpose and without valid consent. The company tracked users' locations even when the app was closed, inferring details like home and work locations, ostensibly for targeted advertising, but ultimately did not use the data for this stated purpose. The investigation also raised concerns about contractual protections with a third-party vendor and Tim Hortons' overall accountability.

Adjudicator: Daniel Therrien

Key Issues
  • Collection and use of granular location data for an appropriate purpose
  • Obtaining valid consent for location data collection
  • Adequacy of contractual protections for data processed by third parties
  • Tim Hortons' accountability for privacy practices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
May 19, 2022 · PIPEDA Findings #2022-004 · Indexed Apr 12, 2026

PIPEDA Findings #2022-004: Investigation into MGM breach highlights how to assess risk, and need for timely assessment

MGM Resorts International

This investigation concerned MGM Resorts International's handling of a 2019 data breach that affected millions of guests, including nearly two million Canadians. The OPC initiated a complaint after media reports indicated a breach and MGM had not reported it. The investigation found that MGM failed to promptly assess the real risk of significant harm (RROSH) posed by the breach and did not report it to the OPC or notify affected Canadians as soon as feasible. MGM has committed to updating its privacy breach response framework to ensure timely RROSH assessments and reporting.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the personal information involved in the breach posed a real risk of significant harm (RROSH) to affected Canadians.
  • Whether MGM adequately assessed the RROSH.
  • Whether MGM reported the breach to the OPC and notified affected Canadians as soon as feasible.
  • Whether MGM's delay in assessing the breach and notifying Canadians contravened PIPEDA's mandatory breach reporting obligations.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Settled
May 10, 2022 · PIPEDA Findings #2022-002 · Indexed Apr 12, 2026

PIPEDA Findings #2022-002: Biron Health Group has ceased sending promotional emails to travellers arriving in Canada who undergo COVID-19 testing

Biron Health Group

Biron Health Group sent promotional emails to travellers who had undergone COVID-19 testing upon arrival in Canada, using their email addresses collected for testing purposes. The complainant alleged this violated PIPEDA. Biron argued they assumed implicit consent due to a business relationship, but the OPC found this assumption unreasonable given the mandatory nature of the testing. Biron has since ceased the practice, deleted affected email addresses, and the complaint was settled.

Adjudicator: Daniel Therrien

Key Issues
  • Use of personal information for secondary marketing purposes without consent
  • Reasonableness of assuming implicit consent in a mandatory service context
  • Nature of consent required for collecting and using health-related information

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 30, 2022 · PIPEDA Findings #2022-003 · Indexed Apr 12, 2026

PIPEDA Findings #2022-003: Telecommunications firm failed to obtain appropriate consent for voiceprint authentication program

Rogers Communications Inc.

The Office of the Privacy Commissioner of Canada investigated a complaint that Rogers Communications Inc. improperly enrolled a customer in its voiceprint authentication program, Voice ID, without her consent. The OPC found that while the purpose of the program was appropriate, Rogers failed to obtain valid and meaningful consent for the collection and use of voiceprints, which are considered sensitive biometric information. Rogers also did not provide a clear opt-out mechanism and improperly retained voiceprints. Rogers committed to significant changes to its program, leading the OPC to find the consent and retention issues well-founded and conditionally resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Appropriate purpose for collecting voiceprints
  • Obtaining valid and meaningful consent for voiceprints
  • Adequacy of opt-out mechanisms
  • Retention of voiceprints after opt-out